Etsy joins bug bounty crew

Powered by SC Magazine
 

Offers $500 minimum, a t-shirt and a high-five.

Online art and clothing store Etsy has opened a bug bounty program that would reward security researchers for reporting vulnerabilities found on the website.

The company would offer a minimum of $US500 ($A479) for bugs and more for “distinctly creative or severe security bugs”. It did not state a maximum payout.

It would accept web application vulnerabilities such as Cross Site Scripting and Cross-site request forgeries, authentication issues, remote code execution, and authorisation problems within Etsy.com, the site’s application programming interface, and its mobile application.

“This means please do not test for: spam, social engineering, or denial of service vulnerabilities,” it said in a statement.

“You also must not disrupt any service or compromise anyone’s data.”

It said bug bounties were “industry best practice”.

The bug bounty program follows the company's publication of responsible disclosure policies in April that eliminated fear of legal action in response to unauthorised security tests and encouraged researchers to report vulnerabilities.

Those who previously reported flaws will be paid under the new program.

Etsy is the latest in a string of companies including Google, Mozilla, Facebook and Samsung prepared to shell out for privately-disclosed vulnerabilities.

PayPal began offering a similar option in June after the company’s chief security officer Michael Barrett changed his tune on paying for vulnerabilities.

Google paid out $2 million in bounties at the Malaysian Hack in the Box conference, including $60,000 for researchers who pull off a "full Chrome exploit", which involves an attack that leverages only vulnerabilities in the Chrome browser. 

It paid $50,000 for a "partial Chrome exploit", which requires the use of bugs in third-party software.

But Microsoft considers bug bounties superfluous. Its security response centre was inundated with free vulnerability reports from researchers looking for fame, not fortune. Up to 80 percent of Microsoft vulnerabilities were privately and freely reported.

Redmond has instead chosen to pay up to $20,000 under its BlueHat competition to researchers who create defensive technologies which block a class of exploits.

Copyright © SC Magazine, Australia


Etsy joins bug bounty crew
 
 
 
Top Stories
Meet FABACUS, Westpac's first computer
GE225 operators celebrate gold anniversary.
 
NSW Govt gets ready to throw out the floppy disks
[Opinion] Dominic Perrottet says its time for government to catch up.
 
iiNet facing new copyright battle with Hollywood
Fighting to protect customer details.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest articles on BIT Latest Articles from BIT
Do you direct debit customers? Read this
Oct 10, 2014
Authorities have been targeting direct debit practices with iiNet and Dodo receiving formal ...
Optus expands 4G coverage
Oct 10, 2014
If you rely on an Optus phone for work you might be interested to know that there are now 200 ...
Microsoft Office is now free for some charities
Oct 10, 2014
Microsoft has announced that eligible Australian non-profit organisations and charities can now ...
Vodafone lights up 4G in Adelaide
Oct 9, 2014
Live and work in Adelaide? Vodafone has switched on its 4G network in the city and suburbs.
Next year tradies will be able to take payments using ingogo
Oct 3, 2014
Ingogo is going to provide a card payment service for Xero users.
Latest Comments
Polls
In which area is your IT shop hiring the most staff?




   |   View results
IT security and risk
  26%
 
Sourcing and strategy
  12%
 
IT infrastructure (servers, storage, networking)
  22%
 
End user computing (desktops, mobiles, apps)
  15%
 
Software development
  26%
TOTAL VOTES: 333

Vote
Would your InfoSec team be prepared to share threat data with the Australian Government?

   |   View results
Yes
  57%
 
No
  43%
TOTAL VOTES: 138

Vote